Hi all, just wondering what kind of rules you guys implemented for the case of flooding LEM with logs.
I would guess a rule that stops collecting logs after x incoming logs. Have you made something like that?
cheers
MisterKanister
Hello Andreas,
There aren't any rules to get the LEM to stop receiving logs, but how many logs the LEM can handle per day is constrained by resources.
LEM is designed as a compliance and reporting tool, so the intention is to log everything that is sent to the LEM if it can.
We do have some rules that you can use to help monitor the LEM, or if you have a tool such as NPM you can monitor the LEM via SNMP.
If you have additional information on what you're trying to do I may be able to suggest an alternative.
Hi,
Thanks for your suggestion. My idea behind it was: what happens if a hacker detects the LEM agent on servers and for this reason floods the LEM with info/logs, like a DDoS attack, just with syslogs etc.
Possible scenario or not?
Andreas
Theoretically something you may run into, but nothing that I've seen (at least no deliberate attacks targeting the LEM).
Ultimately there isn't a way for the LEM to limit the logs that it's receiving. There's no threshold to set or rule to enable to shut down the agent service after so many events, etc. You could theoretically set some rules up to do this, but I imagine that the event threshold would have to be very high, and possibly affect performance in its own right, otherwise the agent would shut down more often than would be useful (false positives here would stop the agent logging at all).
Not sure if it's been requested before, but if you don't see a related feature request you could submit it here via Thwack.
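As an added illustration of the threshold trade-off described in the reply above (not code from this thread or from SolarWinds LEM): a per-source sliding-window rate check over constructed syslog-style events. It flags a source for investigation rather than stopping collection, and running it at two thresholds shows how a low threshold also flags a legitimately chatty host.

```python
from collections import defaultdict, deque

# Constructed sample events as (epoch_seconds, source_host, message).
# web01 logs steadily at one event per second; db02 emits a 20-event burst
# at t=5, standing in for a host flooding the collector.
SAMPLE_EVENTS = sorted(
    [(t, "web01", "normal traffic") for t in range(12)]
    + [(5, "db02", "burst") for _ in range(20)],
    key=lambda e: e[0],
)


def find_flooding_sources(events, window_s=10, threshold=15):
    """Return {source: peak_count} for every source that exceeded
    `threshold` events inside any `window_s`-second sliding window.

    `events` must be sorted by timestamp. Sources are only reported,
    never silenced, so a false positive costs an alert, not lost logs.
    """
    windows = defaultdict(deque)   # per-source timestamps still in window
    flagged = {}
    for ts, src, _msg in events:
        q = windows[src]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] >= window_s:
            q.popleft()
        if len(q) > threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


if __name__ == "__main__":
    # A high threshold isolates the burst; a low one also hits web01,
    # which is the false-positive problem raised in the reply.
    print(find_flooding_sources(SAMPLE_EVENTS, window_s=10, threshold=15))
    print(find_flooding_sources(SAMPLE_EVENTS, window_s=10, threshold=5))
```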
Thanks for your thoughts